Prosecutors: Backdoor and digital key gave him near unfettered access.

A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.

Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the Harris County, Texas, district attorney's office, according to court documents. He worked as a mid-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. To keep his superiors from noticing the backdoor process, he named it after a common Unix system component, prosecutors said.

"The process was named 'pcre', a common system file, in order to disguise the true purpose of the process which would grant an attacker unauthorized access into Hostgator's computer network," a Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an affidavit. "Complainant told affiant he searched Hostgator's computer network and found the unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer network."

Gisse didn't return a voicemail and e-mail seeking comment for this report. A court docket shows he is scheduled to be arraigned next month and gives no indication he has entered a plea in the case. He's being held at the Harris County Jail on $20,000 bond, a spokeswoman at the district attorney's office said.

The backdoor allowing near-unfettered "root" access to Apache Web server systems was possible because Gisse obtained a Hostgator digital SSH key and transferred it to computers under his control, including one at efnet.pe, Garrett alleged. "The defendant then attempted to penetrate the Hostgator computer network from 'efnet.pe' using the Hostgator digital SSH key," Garrett wrote.
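What a copied SSH key looks like in the logs, as an added example that is not part of the article or of Hostgator's own tooling: the script below parses sshd's "Accepted publickey" lines, flags root key logins from outside an assumed set of administrative networks (the affidavit's efnet.pe and Hetzner hosts would land here), flags any login made with a fingerprint on a revocation list, and reports keys seen from more than one source network, which is the signature of a private key that has been copied off the company's machines. The log lines, address ranges and fingerprints are constructed. The fingerprint after "ssh2:" is an OpenSSH 6.8-and-later format assumption; older daemons stop at "ssh2", and those lines are parsed too.

```python
"""Detect misuse of an SSH key from sshd authentication logs (added example)."""
import ipaddress
import re

# OpenSSH syslog line for a successful key login. The trailing key type and
# fingerprint group is optional because pre-6.8 daemons do not log it.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)

# Assumed administrative networks; a root key login from anywhere else is suspect.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
# Assumed: fingerprints of keys known to have left the company (departed admins, leaked hosts).
REVOKED_FPS = {"SHA256:K3revokedKeyExample"}

# Constructed sample log; hosts, addresses and fingerprints are made up.
SAMPLE_LOG = """\
Feb 16 02:11:09 web1 sshd[4102]: Accepted publickey for root from 10.20.1.15 port 50322 ssh2: RSA SHA256:K1adminKeyExample
Feb 16 02:13:44 web1 sshd[4133]: Accepted publickey for root from 198.51.100.23 port 41002 ssh2: RSA SHA256:K1adminKeyExample
Feb 16 02:14:01 web1 sshd[4140]: Failed password for invalid user admin from 203.0.113.9 port 2222 ssh2
Feb 16 02:20:17 web1 sshd[4171]: Accepted publickey for deploy from 10.20.1.40 port 50990 ssh2: ED25519 SHA256:K2deployKeyExample
Feb 16 02:31:55 web1 sshd[4203]: Accepted publickey for root from 203.0.113.9 port 2230 ssh2: RSA SHA256:K3revokedKeyExample
Feb 16 02:40:02 web1 sshd[4250]: Accepted publickey for root from 10.20.2.2 port 1022 ssh2
"""


def parse_accepted_logins(text):
    """Return one dict per successful key login: user, src, ktype, fp (fp is None on old-format lines)."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append(m.groupdict())
    return logins


def flag_logins(logins, trusted_nets=TRUSTED_NETS, revoked_fps=REVOKED_FPS):
    """Flag logins from outside the trusted networks and logins made with a revoked key."""
    findings = []
    for lg in logins:
        src = ipaddress.ip_address(lg["src"])
        if not any(src in net for net in trusted_nets):
            findings.append(("untrusted-source", lg["user"], lg["src"], lg["fp"]))
        if lg["fp"] in revoked_fps:
            findings.append(("revoked-key", lg["user"], lg["src"], lg["fp"]))
    return findings


def keys_used_from_multiple_networks(logins):
    """Map fingerprint -> source networks (/24 or /64), keeping only keys seen from more than one."""
    seen = {}
    for lg in logins:
        if lg["fp"] is None:
            continue
        src = ipaddress.ip_address(lg["src"])
        prefix = 24 if src.version == 4 else 64
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        seen.setdefault(lg["fp"], set()).add(net)
    return {fp: nets for fp, nets in seen.items() if len(nets) > 1}


if __name__ == "__main__":
    logins = parse_accepted_logins(SAMPLE_LOG)
    for finding in flag_logins(logins):
        print(*finding)
    for fp, nets in keys_used_from_multiple_networks(logins).items():
        print("key", fp, "used from", ", ".join(str(n) for n in sorted(nets)))
```

The multi-network check is the one that does not depend on knowing in advance which key was stolen: a single administrative key legitimately used from the office range and then from a rented server abroad is exactly the pattern the affidavit describes. Feed it the authentication logs from every host, not one, since the copied key is typically exercised against whichever servers the attacker still wants.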

Hostgator COO Patrick Pelanne, referred to as the "complainant" in the affidavit, told Ars the backdoor was discovered in February 2012, the same week that Gisse was terminated. While his root access gave Gisse access to private data stored on a large number of customer websites, there's no evidence he used it, the Hostgator executive said.

"He did not access customer content," Pelanne told Ars. "We caught it well before he had any chance to do any of that."

Given the rapid discovery, the malware was on Hostgator systems for less than a month. Although the affidavit alleges that the backdoor was discovered in February of 2013, Pelanne said that date is erroneous and is most likely the result of a typo. Harris County prosecutors weren't available to confirm that the 2013 date included in court documents was wrong.

Gisse took other steps to conceal the compromise of Hostgator systems, prosecutors said. On February 19, three days after Pelanne said the backdoor came to light, investigators found that two standard system utilities on the Web host's network had been modified. Specifically, the "ps" and "netstat" programs, which administrators use to list running processes and open network connections respectively, had been altered to hide certain activity, the classic rootkit technique of trojaning the very tools an administrator would use to spot an intruder. Senior Hostgator security personnel "were activated to respond to, identify, and neutralize the intrusion incident," the affidavit said.
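Finding a process hidden by a trojaned ps, and checking the tools themselves, as an added example that is not Hostgator's incident-response code: a user-space-patched ps or netstat can only lie about what it prints, while /proc still reflects the kernel's view, so walking /proc and diffing against the ps output exposes the filtered PIDs. The same walk can flag a process named after a library (the affidavit's "pcre", which is a regex library and has no business being a daemon), a binary running from a scratch directory, or a binary unlinked after exec. A hash baseline check covers the ps and netstat binaries themselves. The sample process table, ps output, library name list and trusted directory list are constructed assumptions.

```python
"""Cross-check /proc against ps and verify tool hashes (added example)."""
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEntry:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # target of /proc/<pid>/exe; "" for kernel threads or unreadable links


# Assumed: names of libraries, not daemons. A process wearing one of them is an anomaly.
LIBRARY_NAMES = {"pcre", "libpcre", "zlib", "libssl"}
# Assumed: where legitimate daemons live on this fleet.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Constructed sample: what /proc showed versus what a tampered ps printed.
SAMPLE_PROC = [
    ProcEntry(1, "init", "/sbin/init"),
    ProcEntry(14, "kworker/0:1", ""),
    ProcEntry(812, "sshd", "/usr/sbin/sshd"),
    ProcEntry(1190, "httpd", "/usr/sbin/httpd"),
    ProcEntry(2231, "pcre", "/usr/local/share/.cache/pcre"),
    ProcEntry(2240, "crond", "/dev/shm/.s/crond (deleted)"),
]
SAMPLE_PS = """\
  PID COMMAND
    1 init
   14 kworker/0:1
  812 sshd
 1190 httpd
"""


def parse_ps(text):
    """Parse `ps -eo pid,comm` output into {pid: comm}, skipping the header line."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            table[int(parts[0])] = parts[1].strip()
    return table


def hidden_pids(proc_entries, ps_table):
    """PIDs present in /proc but missing from ps: the signature of a filtered ps."""
    return sorted(e.pid for e in proc_entries if e.pid not in ps_table)


def masquerading(proc_entries):
    """Flag library-named processes, binaries outside trusted dirs, and unlinked binaries."""
    findings = []
    for e in proc_entries:
        if not e.exe:  # kernel thread or unreadable; nothing to check
            continue
        deleted = e.exe.endswith(" (deleted)")
        path = e.exe[: -len(" (deleted)")] if deleted else e.exe
        if e.comm in LIBRARY_NAMES:
            findings.append((e.pid, e.comm, "library name used as process name"))
        if not path.startswith(TRUSTED_DIRS):
            findings.append((e.pid, e.comm, f"binary outside trusted dirs: {path}"))
        if deleted:
            findings.append((e.pid, e.comm, "binary unlinked after exec"))
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline, hasher=sha256_file):
    """Return paths whose current digest differs from the recorded one (e.g. a trojaned ps)."""
    return [p for p, digest in baseline.items() if hasher(p) != digest]


def snapshot_proc():
    """Live /proc walk (Linux only). Run as root so every exe link is readable."""
    entries = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
            entries.append(ProcEntry(pid, comm, exe))
        except OSError:
            continue  # process exited mid-walk
    return entries


if __name__ == "__main__":
    print("hidden from ps:", hidden_pids(SAMPLE_PROC, parse_ps(SAMPLE_PS)))
    for finding in masquerading(SAMPLE_PROC):
        print("suspicious:", *finding)
```

On a real host, pair snapshot_proc() with `ps -eo pid,comm` captured on the same box, and take the hash baseline from a clean install or the package manager's own verification (rpm -V, debsums), since a baseline recorded after the compromise would only certify the trojaned binaries. A kernel-level rootkit can filter /proc as well, so a disagreement proves tampering but agreement does not prove its absence.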

While Gisse is presumed innocent until proven otherwise, the as-yet-unproven narrative is a potent reminder of the threat posed by even mid-level employees inside companies that host sensitive information. Secret control over 2,700 servers inside a Web hosting provider is no small matter, considering each machine can serve hundreds or possibly thousands of individual websites. But the alleged series of events also highlights the measures employers can take to keep tabs on rogue workers. Among other things, a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.

70 Reader Comments

In this case, it was a malevolent employee; in others, hackers or black hats seeking to utilize webservers for malware distribution, redirects for phishing scams, or possibly DDOS. To be certain your webserver and website are not compromised for use in an attack on the government, companies, or individuals, you should monitor for changes in your files, specifically your website files: .html, .css, .js, .htaccess, .php, .rb, etc.

EDIT: oh, btw, a co-worker of mine who is also ex-HG got raided by the FBI when this first happened. HG appears to have deliberately misled the FBI either through stupidity or spite, and it's looking more like the latter.


That's an incredibly nasty website, I hope you are not associated with it. Whilst he may (or may not) be guilty (and an idiot if he is guilty), he does deserve the right to a trial before he is _found_ guilty.


Cyber-bullying is low, cheap and uncalled for.

The website has been around for almost a year. Check the whois. It's not mine.

A screencap a minute? Good Lord, if I tried this with my employees I'd have a staff of zero in a matter of days. They're trusted with the inner workings of all the IP in the company daily. Can't very well play Big Brother on them then.


You can't expect much from a hosting company whose recruiting program is "Can you spell Linux? Call us!" billboards beside the freeway...


Well, at least not until after you've already been burned once by a rogue employee. After that you find that you can play Big Brother after all, and that, in fact, you come to enjoy it.


The website has been around for almost a year. Check the whois. It's not mine.

Ok, sorry for jumping the gun and pointing fingers. But it still leaves the fact whoever put that sort of childish drivel up on the web should be downright ashamed of themselves.

a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.

With only ~50 seconds of work before you need to close your malicious code, I hope you're a fast typer.

Wonder why he didn't write it from somewhere else, put it up on some random file hosting site, and just download it directly to the servers in 1 minute increments.

I used to work at HostGator, and it wouldn't matter, because obviously you don't know when they are taking a screenshot.

They also monitor your traffic, so they'll see you downloading files and they log everything you do in SSH so they can go through it later.

This *was* the incident that caused everything to get locked down in arbitrary ways, and ways sometimes a hindrance to doing one's job. I'll bet vpstool exec is still stripping all metacharacters to this day.


Well, at least not until after you've already been burned once by a rogue employee. After that you find that you can play Big Brother after all, and that, in fact, you come to enjoy it.

A tad frightening, but true...

It goes without saying, though, that there has to be some expectation of security and audits in any organization.

This is a very good example of why not to trust cloud services with sensitive data. You don't know where your data is, it's just "out there" somewhere. You have to rely on the integrity of unknown employees at datacenters in who-knows-where, which you have no way of verifying.

I'm sure I'm not the first to daydream about setting up some kind of backdoor or remote server on the network of an employer before I left. Mostly just idle fantasies of how it would be funny to prank them months months later by putting a trolly image on their digital signage or something stupid like that...

...but there's no way in hell I would actually do it. Brainstorming how you *could* do something is fun but actually messing with someone's operation and/or earning some nice criminal charges doesn't sound quite worth the couple of chuckles you might get out of it.

a desktop monitoring system that took screenshots of employee workstations in one-minute increments helped Hostgator officials quickly zero in on Gisse.


I once had to set such a system up for a parent with a teenager they needed to watch. This kind of stuff is fully warranted, anything else is too easily circumvented.

My question is: do they let you bring home computers to use on breaks/keep your personal stuff on? I'd get antsy if I couldn't glance at my e-mail every few hours. It'd be something I learned to live with...eventually...even thinking about it is making me antsy.

It's possible this is being spun around a bit. Techs can be lazy and not do things the proper way to save time. Considering the guy has not done anything with it, looks like there may be more to this story, or less, than there really is.

Every PC I service I install a remote assistance tool. I tell my customers about it. I have them initial they know about it. I install in case I missed anything or they need future help, I can help them. Most of the time, there is something extra they need.

I used to install it without consent, but after reading so many bad situations, I added it to my contract. Most people don't know how to follow simple instructions and most PC service can be handle remotely.

This is a very good example of why not to trust cloud services with sensitive data. You don't know where your data is, it's just "out there" somewhere. You have to rely on the integrity of unknown employees at datacenters in who-knows-where, which you have no way of verifying.

The only way to use the cloud is with crypto.

If I were in the cloud biz, I would insist the system is set up so that my company couldn't read hosted data. Then when law enforcement shows up, I would say the only thing I can provide is metadata. Server logs and the customer's account data is all I have. But you are welcome to the encrypted data should the customer provide a key when waterboarded.


I used to install it without consent, but after reading so many bad situations, I added it to my contract.

I can't imagine ever adding a remote access tool to a client's computer without consent from them or management. Good you picked up on that issue, but I'd still be very nervous about any of the non-consenting clients finding out. That's risking serious criminal charges as you've definitely got access to their webcam, private data etc, even if you never use it.

Have you gone back to inform them, or are you just hoping they'll never find out?

Not sure if that suggests that he did it himself, but we can look at some other things.

http://bosseyedness.com/ goes to the exact same place. Some of the registration information for that site references suspected.org for both nameservers and contact information, which is a defunct, but very fishy looking site. It was registered by a "John Dillinger" from Red Bank, NJ, which I can only assume is a pseudonym. The phone number given is (215) 821-7668. It is simultaneously described as a VoIP phone, a landline registered to a Mcilwaine, and a cell phone. I wouldn't put any stock into that.

http://suspected.org is registered to a Matt Horn, but I'm really not sure if that matters. Adam Deltree was also mentioned, but I'm not sure if that's the privacy service contact.


This *was* the incident that caused everything to get locked down in arbitrary ways, and ways sometimes a hindrance to doing one's job. I'll bet vpstool exec is still stripping all metacharacters to this day.

Hmm? You mean the no root? That's not just because of this. HG got bought out by the company that owns BlueHost, who also have that same policy. I myself left before this guy even got there, so anything he did had nothing to do with my job. I had full root and didn't do stupid shit.


Have you gone back to inform them, or are you just hoping they'll never find out?

All of my customers for the most part are repeats. I don't work at the server level. I don't do malicious stuff. I put the tools on my customers PCs so I don't have to drive out there to do the work. I have since migrated to adding this as a monthly subscription. Most if not all now know about it if they came back. Most of my customers come back every 6 months to a year.

Good. now he can join the dude over at Anandtech that lost his job at university some years back for installing folding apps on the computers without the consent of the University.......Hello? Common sense? Are you home?

This is a very good example of why not to trust cloud services with sensitive data. You don't know where your data is, it's just "out there" somewhere. You have to rely on the integrity of unknown employees at datacenters in who-knows-where, which you have no way of verifying.

And yet we're constantly reminded "the cloud is the future." I'm still wary of putting anything in a cloud, even mundane stuff, because reliability in general is still not assured. Between malicious employees, lazy or outdated data encryption, and just plain downtime issues, I don't think the cloud is anywhere near ready yet.